PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2651 mlflow CVE debrief

A critical authorization bypass in MLflow's multipart upload (MPU) endpoints allows an authenticated attacker to overwrite artifacts belonging to other users when the server runs in `--serve-artifacts` mode. The flaw is a missing resource-level permission check on the `/mlflow-artifacts/mpu/*` endpoints: the server verifies that the caller is authenticated but not that the caller may write to the target artifact, so any valid account gains cross-user write access. Because artifacts commonly hold serialized models, this enables model supply chain poisoning and arbitrary code execution once a tampered model is loaded by a victim. The record lists affected versions through 3.10.1.dev0 while naming 3.10.0 as the fixed release; those two statements conflict, so treat the fix commit cited below as the authoritative marker when checking a deployment.

Vendor
mlflow
Product
mlflow/mlflow
CVSS
CRITICAL 9.0
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations running MLflow with `--serve-artifacts` enabled in multi-user or shared environments, particularly those using MLflow as the model registry and artifact store for production ML pipelines. The bypass is cross-user, not anonymous: an attacker needs a valid account, so exposure is greatest where one instance serves several teams or tenants whose accounts are not all equally trusted. Security teams responsible for MLOps infrastructure and supply chain integrity should prioritize this vulnerability because of the direct path from artifact overwrite to arbitrary code execution through model poisoning.

Technical summary

The vulnerability exists in MLflow's artifact serving implementation when `--serve-artifacts` mode is active. The `/mlflow-artifacts/mpu/*` endpoints, which handle multipart uploads of large artifacts, fail to enforce resource-level authorization: the handlers check that the request carries valid credentials but not that the caller holds write permission on the experiment or run that owns the target artifact path. An attacker with any valid account can therefore craft MPU requests that overwrite artifacts owned by other users or organizations sharing the same MLflow instance. Because MLflow artifacts frequently include serialized machine learning models, successful exploitation becomes a model supply chain attack: the attacker replaces a model file with one carrying malicious code, and that code runs when a victim loads the compromised model. The attack requires network access to the MLflow server and valid authentication; the only victim action needed is loading the tampered model in the normal course of work, which is the user interaction the CVSS vector records (UI:R). The fix in commit d7290811d8f3c95366d80109424edc1fb1ad966f adds proper authorization enforcement to the MPU endpoints.

Defensive priority

P1 - Immediate Action Required

Recommended defensive actions

  • Upgrade MLflow to a build that contains fix commit d7290811d8f3c95366d80109424edc1fb1ad966f (reported as version 3.10.0 or later) immediately on every instance running `--serve-artifacts` mode
  • Audit artifact access logs for MPU operations on `/mlflow-artifacts/mpu/*` endpoints from the earliest date the instance ran an affected build until the patch was deployed, flagging requests whose artifact path belongs to an experiment or run the requesting user does not own or cannot write to
  • Verify artifact integrity for all models uploaded or modified during the exposure window, comparing against hashes recorded by the training pipeline or CI where such a record exists
  • Implement network segmentation to restrict access to MLflow artifact serving endpoints to authorized infrastructure only
  • Review and validate model loading pipelines to detect supply chain tampering before production deployment; treat pickle-based model flavors as executable code, since loading them runs whatever the file contains
  • Consider disabling `--serve-artifacts` mode temporarily if immediate patching is not feasible and proxied artifact serving is not critical to operations
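The following is an added example, not MLflow's own code or the fix commit. It illustrates the missing check described in the technical summary (an authentication-only gate beside a resource-level one) and then reuses that resource-level check to perform the log audit recommended above, replaying it over constructed access-log lines to find MPU writes the unpatched server would have allowed. It assumes MPU routes of the shape `/mlflow-artifacts/mpu/<op>/<artifact_path>` with ops `create`, `complete` and `abort`, the proxied artifact layout `<experiment_id>/<run_id>/artifacts/...`, a hypothetical per-experiment permission table using READ/EDIT/MANAGE levels, and a simple `user method path status` log format; all of these are assumptions, not facts from the advisory.

```python
import re
from dataclasses import dataclass

# Hypothetical per-experiment permission table, modelled loosely on the
# READ / EDIT / MANAGE levels of MLflow's basic-auth plugin. Constructed
# for this example; not MLflow's own permission store.
PERMISSIONS = {
    ("alice", "1"): "MANAGE",
    ("bob", "2"): "MANAGE",
    ("bob", "1"): "READ",
}
WRITE_LEVELS = {"EDIT", "MANAGE"}

# Assumed MPU route shape: /mlflow-artifacts/mpu/<op>/<artifact_path>
MPU_ROUTE = re.compile(
    r"^/mlflow-artifacts/mpu/(?P<op>create|complete|abort)/(?P<artifact_path>.+)$"
)
# Assumed proxied artifact layout: <experiment_id>/<run_id>/artifacts/...
# Anchored at the start, so "../" or an absolute path never matches.
ARTIFACT_LAYOUT = re.compile(
    r"^(?P<experiment_id>\d+)/(?P<run_id>[0-9a-f]{32})/artifacts/"
)


@dataclass(frozen=True)
class Request:
    user: str  # principal already authenticated by the server
    path: str  # request path as seen by the artifact handler


def vulnerable_authorize(req: Request) -> bool:
    """Authentication-only gate, the pattern the advisory describes:
    any user with a valid account may write under any experiment."""
    return any(user == req.user for user, _ in PERMISSIONS)


def owning_experiment(path: str):
    """Map an MPU request path to the experiment that owns the target
    artifact, or None if the path is not a well-formed MPU path."""
    route = MPU_ROUTE.match(path)
    if not route:
        return None
    layout = ARTIFACT_LAYOUT.match(route["artifact_path"])
    return layout["experiment_id"] if layout else None


def hardened_authorize(req: Request) -> bool:
    """Resource-level check: the caller needs a write-capable permission
    on the experiment that owns the artifact. Fails closed on paths that
    do not parse, including traversal attempts."""
    experiment_id = owning_experiment(req.path)
    if experiment_id is None:
        return False
    level = PERMISSIONS.get((req.user, experiment_id), "NO_PERMISSIONS")
    return level in WRITE_LEVELS


# Constructed access-log lines in a simple "user method path status" shape,
# not MLflow's actual log format. Status 200 means the request succeeded.
SAMPLE_LOG = """\
alice POST /mlflow-artifacts/mpu/create/1/0123456789abcdef0123456789abcdef/artifacts/model/model.pkl 200
bob   POST /mlflow-artifacts/mpu/create/1/0123456789abcdef0123456789abcdef/artifacts/model/model.pkl 200
bob   POST /mlflow-artifacts/mpu/complete/1/0123456789abcdef0123456789abcdef/artifacts/model/model.pkl 200
bob   POST /mlflow-artifacts/mpu/create/2/fedcba9876543210fedcba9876543210/artifacts/model/model.pkl 200
bob   GET  /mlflow-artifacts/artifacts/1/0123456789abcdef0123456789abcdef/artifacts/model/model.pkl 200
"""

LOG_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def audit_mpu_log(log_text: str) -> list:
    """Replay the hardened check over successful MPU requests from the
    exposure window. Returns (user, op, artifact_path) for each request the
    unpatched server accepted but the resource-level check would refuse."""
    suspicious = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m or m["status"] != "200":
            continue
        route = MPU_ROUTE.match(m["path"])
        if not route:
            continue  # only the MPU endpoints are in scope for this CVE
        req = Request(m["user"], m["path"])
        if not hardened_authorize(req):
            suspicious.append((req.user, route["op"], route["artifact_path"]))
    return suspicious


if __name__ == "__main__":
    for hit in audit_mpu_log(SAMPLE_LOG):
        print("cross-user MPU write:", hit)
```

In the constructed log, bob holds only READ on experiment 1, so his `create` and `complete` calls against alice's model are the two findings; his write under experiment 2, where he has MANAGE, and the plain artifact download are not. Any artifact path the audit flags is a candidate for the integrity verification step above.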

Evidence notes

The CVE description and NVD record confirm that the authorization bypass affects the MPU endpoints specifically. The fix commit (d7290811d8f3c95366d80109424edc1fb1ad966f) indicates resolution in MLflow 3.10.0. The CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) yields a base score of 9.0 and supports the CRITICAL rating: network attack vector, low complexity, low privileges (a valid account), and high impact to confidentiality, integrity, and availability. UI:R reflects the victim loading the poisoned model, and S:C reflects that the impact lands on the system that loads the model rather than only on the MLflow server itself. CWE-862 (Missing Authorization) is identified as the weakness type.

Official resources

2026-05-25